Appendix E - Implementing Spectrum Single Sign-on (SSO)

Spectrum Spatial Analyst now provides single sign-on (SSO), leveraging the Spectrum™ Technology Platform SSO implementation and Active Directory Federation Services (AD FS). SSO allows logged-in users to access Spectrum Spatial Analyst and Spectrum™ Technology Platform Web-based services with one set of credentials. AD FS shares trusted party information seamlessly, using cookie-based authentication.

For more information, refer to the Implementing Spectrum Single Sign-on (SSO) section in the Spectrum™ Technology Platform administration guide.

Configuration assumptions and SSO deployment checks

The system administrator must complete the following tasks and make the necessary security changes before enabling SSO in SSA.

Ensure that the system administrator has completed:
  • the deployment of the AD FS server
  • SSO configuration in Spectrum™ Technology Platform

Server configuration for SSO support

Pre-requisites

Your SSA server must be HTTPS enabled before you set up the configurations in this section. Ensure that the following two steps are completed:
  1. HTTPS communication configuration between SSA and Spectrum Spatial, and
  2. Configuration of HTTPS communication with SSA

Set Analyst Login URL

Configure the SSO login URL for Analyst in the following file using a text editor:

<serverinstallationlocation>customerconfigurations/_global_/controller.properties

Amend the entry for sso.start.url as follows:

sso.start.url=#ognl("@spectrum_server/sso-integration/?externalapp=y&relaystate="
+requestAttributes["original_request_uri"]
+"/security-check?TargetResource=" 
+urlEncode(requestAttributes["original_request_uri"])
+insertLocale("&"))
Note: The entry for slo.start.url should be left unchanged.
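
An added example (not part of the product documentation): a Python check that the edited sso.start.url entry parses as one complete value and that slo.start.url is still present. It assumes controller.properties follows Java .properties rules, under which the value shown above stays one entry only if it is on a single line or each wrapped line ends with a backslash. The function names and sample inputs are constructed for illustration.

```python
# Added example: sanity check for the sso.start.url entry in controller.properties.
# Assumption: Java .properties rules (key=value per logical line, a trailing
# backslash continues the line, lines starting with # or ! are comments).
REQUIRED = [  # fragments of the value shown in this section
    "@spectrum_server/sso-integration/?externalapp=y&relaystate=",
    "/security-check?TargetResource=",
    'urlEncode(requestAttributes["original_request_uri"])',
    'insertLocale("&")',
]

def parse_properties(text):
    """Return {key: value}, joining physical lines that end in a continuation backslash."""
    props, buf = {}, ""
    for raw in text.splitlines() + [""]:  # the extra "" flushes a pending continuation
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        line = buf + line
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd count = continuation
            buf = line[:-1]
            continue
        buf = ""
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_sso_start_url(text):
    """Return a list of problems; an empty list means the entries look complete."""
    props = parse_properties(text)
    value = props.get("sso.start.url")
    if value is None:
        return ["sso.start.url is missing"]
    problems = []
    if not value.startswith("#ognl("):
        problems.append("value is not an #ognl(...) expression")
    if value.count("(") != value.count(")") or value.count('"') % 2:
        problems.append("unbalanced parentheses or quotes: value looks cut off at a line break")
    problems += [f"missing fragment: {frag}" for frag in REQUIRED if frag not in value]
    if "slo.start.url" not in props:
        problems.append("slo.start.url is missing; it should be left unchanged")
    return problems

# Constructed samples; the slo.start.url value is a placeholder, not a real setting.
PARTS = ["sso.start.url=#ognl(\"" + REQUIRED[0] + "\"", '+requestAttributes["original_request_uri"]',
         '+"' + REQUIRED[1] + '"', "+" + REQUIRED[2], "+" + REQUIRED[3] + ")"]
SLO = "\nslo.start.url=PLACEHOLDER_EXISTING_VALUE"
ONE_LINE = "".join(PARTS) + SLO        # whole value on one line
CONTINUED = "\\\n".join(PARTS) + SLO   # wrapped, each line ending in a backslash
WRAPPED = "\n".join(PARTS) + SLO       # wrapped with bare line breaks

if __name__ == "__main__":
    for name, sample in [("one line", ONE_LINE), ("continued", CONTINUED), ("wrapped", WRAPPED)]:
        print(name, "->", check_sso_start_url(sample) or "OK")
```

To check a real installation, pass the contents of controller.properties to check_sso_start_url() after saving the edit.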

Enabling Guest access

If you wish to enable guest access, ensure that you have completed the configuration described in Adding a Guest Role and User for Guest Access.

Managing Idle Session timeout

SSA, Spectrum platform and AD FS have separate session management. In SSA you can define the session inactivity period in the Settings tab of the administration console.
Note: For setting the inactivity period on Spectrum platform, refer to Manage AD FS session timeout properties. As a best practice, it is recommended to define all of these properties with the same timeout value.

Managing and mapping roles

To create roles, refer to User and Roles used by Spectrum Spatial Analyst in the Spatial Manager guide. After you have created the roles in Spectrum, you may need to map the roles to AD groups.
Note: For more details, refer to Mapping SSO_STS roles to Spectrum™ Technology Platform roles in the Spectrum administration guide.